Pages

Thursday, July 14, 2016

Samba 4.4.5 SMB for Linux released

Samba 4.4.5 recently released, is an implementation of the Server Message Block (SMB)/Common Internet File System (CIFS) protocol for Unix systems, providing support for cross-platform file and printer sharing with Microsoft Windows, OS X, and other Unix systems. It can function both as a domain controller or as a regular domain member.

This is a security release in order to address the following defect:

It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags.

This means that the attacker can impersonate a server being connected to by Samba, and return malicious results.

The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking to domain controllers as a member server, and trusted domains as a domain controller. These DCE/RPC connections were intended to protected by the combination of "client ipc signing" and "client ipc max protocol" in their effective default settings ("mandatory" and "SMB3_11").

Additionally, management tools like net, samba-tool and rpcclient use DCERPC over SMB2/3 connections.

By default, other tools in Samba are unprotected, but rarely they are configured to use smb signing, via the "client signing" parameter (the default is "if_required"). Even more rarely the "client max protocol" is set to SMB2, rather than the NT1 default.

If both these conditions are met, then this issue would also apply to these other tools, including command line tools like smbcacls, smbcquota, smbclient, smbget and applications using libsmbclient.Changes since 4.4.4: